Solved Search engine results redirect to unwanted sites when clicked on..

Status
Not open for further replies.

hostile17

Posts: 10   +0
...to places like bwlyli.net and other search sites. Please help.

Here are 8-step logs as requested:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5213

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/29/2010 2:30:54 AM
mbam-log-2010-11-29 (02-30-54).txt

Scan type: Quick scan
Objects scanned: 135265
Time elapsed: 6 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-11-29 02:46:53
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Steven\LOCALS~1\Temp\kxayypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- EOF - GMER 1.0.15 ----




DDS (Ver_10-11-27.01) - NTFSx86
Run by Steven at 2:48:14.46 on Mon 11/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.640 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Steven\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mPolicies-explorer: NoPopUpsOnBoot = 1 (0x1)
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\documents and settings\steven\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\steven\application data\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\steven\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\steven\applic~1\mozilla\firefox\profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-9-17 28552]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2010-9-17 3968]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-7-13 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-7-13 74480]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\b.tmp --> c:\windows\system32\B.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-7-13 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2010-1-10 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-27 312152]

=============== Created Last 30 ================

2010-11-29 08:58:26 -------- d-----w- c:\windows\system32\NtmsData
2010-11-29 08:56:41 -------- d-----w- c:\docume~1\steven\applic~1\Avira
2010-11-28 13:02:12 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-28 12:52:47 -------- d-----w- c:\program files\ProcessExplorer
2010-11-28 12:27:19 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-11-28 02:10:38 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-26 12:23:39 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-11-26 12:23:38 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-26 12:17:02 222080 ------w- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 02:36:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-18 02:36:50 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 2:49:03.06 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-11-27.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 7/13/2009 4:50:11 AM
System Uptime: 11/29/2010 2:43:17 AM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | Amberine M
Processor: AMD Sempron(tm) Processor 3400+ | Socket 939 | 1989/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 186 GiB total, 111.189 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 11/27/2010 7:16:31 PM - System Checkpoint
RP2: 11/28/2010 12:32:06 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP3: 11/28/2010 12:44:24 AM - Revo Uninstaller's restore point - Microsoft Security Essentials
RP4: 11/28/2010 4:27:15 AM - Software Distribution Service 3.0
RP5: 11/28/2010 4:34:20 AM - Software Distribution Service 3.0
RP6: 11/28/2010 4:36:40 AM - Software Distribution Service 3.0
RP7: 11/28/2010 6:20:52 PM - Restore Operation
RP8: 11/29/2010 2:40:23 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus
RP9: 11/29/2010 2:41:43 AM - Revo Uninstaller's restore point - Avira AntiVir Personal - Free Antivirus

==== Installed Programs ======================

Acez All Audio Converter v3.0
Across Lite
Adobe AIR
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
Adobe Shockwave Player 11.5
Advanced SystemCare 3
Apple Application Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audacity 1.2.6
AVG Anti-Rootkit Free
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 1.1
Canon MX850 series
Canon MX850 series User Registration
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Canon Utilities Solution Menu
CCleaner
Chinese (Simplified) Language Support
Combined Community Codec Pack 2008-09-21 16:18
Compatibility Pack for the 2007 Office system
Crossword Compiler 8 Demo
Data Fax SoftModem with SmartCP
EasyCleaner
EclipseCrossword
Eraser 5.8.7
Eusing Free Registry Cleaner
Express Rip
Facebook Plug-In
Free Video Joiner 1.1
GoToMeeting/GoToWebinar 3.0.0.198
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
IObit Security 360
Java Auto Updater
Java(TM) 6 Update 21
JDownloader
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works 2000
MixPad Audio Mixer
Mozilla Firefox (3.6.4)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.1
Presto! PageManager 7.15.20
QuickTime
Rand McNally Route Planner
Realtek AC'97 Audio
Recipe4win
Recuva (remove only)
Revo Uninstaller 1.90
ScanSoft OmniPage SE 4
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows XP (KB923789)
Slice Audio File Splitter
Smart Math Calculator 2.2
Sophos Anti-Rootkit 1.5.4
SpywareBlaster 4.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB982632)
VC 9.0 Runtime
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 1.1.4
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinPatrol
WinRAR archiver
Yahoo! BrowserPlus 2.9.8
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

11/29/2010 2:43:41 AM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 0015F2A0150F has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
11/29/2010 12:48:18 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
11/29/2010 12:48:18 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Steven\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
11/29/2010 12:48:18 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
11/28/2010 5:07:55 AM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Steven.
11/28/2010 5:07:49 AM, information: Windows File Protection [64016] - Windows File Protection file scan was started.
11/26/2010 7:06:54 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.

==== End Of File ===========================
 
Welcome to TechSpot! I'll help with the problem. But first order of business is antivirus program. I see 2 restore points were set for Avira. But I don't see it listed as installed nor are there any processes for it running. Please handle that first and get an AV program running. Be sure to reboot the computer after installing the AV.

Please disable the following while I am working with you: they could affect the scans:
1. AVG Anti Rootkit
2. Eusing Free Registry Cleaner
3. Sophos Anti-Rootkit 1.5.4

I recommend you uninstall the following:
The Eusing Free Registry Cleaner>.Most of us don't recommend using a registry cleaner.
IObit Security 360: Neither the program nor the site for download is recommended. Better off the computer. I'll have you do a security search later and we'll see what's lacking. But AV need to be done now.
=================================
Important:For Notepad: when you open Notepad for a log, first click on Format> Uncheck 'Word Wrap'.

Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
============================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image
    RcAuto1.gif

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
====================================
Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Thanks for response.

I cannot Uncheck 'Word Wrap' because it is not checked in the first place.
Though, for some reason, ALL of my text documents, both new and old, started appearing in
italicized text a few days ago without any direct action from me. Is this a possible
symptom of an infection? All I can do is click 'Font' and select 'Regular'.




ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=ba10ddc74576dd488496cc56a33d4d6a
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-11-30 12:43:22
# local_time=2010-11-29 04:43:22 (-0800, Pacific Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 5262449 5262449 0 0
# compatibility_mode=1797 16775145 100 93 0 27489422 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=81598
# found=0
# cleaned=0
# scan_time=2534







ComboFix 10-11-29.03 - Steven 11/29/2010 16:56:44.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.556 [GMT -8:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
.

2010-11-29 23:40 . 2010-08-03 00:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-29 23:40 . 2010-08-03 00:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-29 23:40 . 2010-06-17 23:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-29 23:40 . 2010-11-29 23:40 -------- d-----w- c:\program files\Avira
2010-11-29 23:40 . 2010-11-29 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-29 23:40 . 2010-06-17 23:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-29 10:58 . 2010-11-29 10:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-29 08:58 . 2010-11-29 10:13 -------- d-----w- c:\windows\system32\NtmsData
2010-11-29 08:56 . 2010-11-29 08:56 -------- d-----w- c:\documents and settings\Steven\Application Data\Avira
2010-11-28 13:02 . 2010-11-30 01:03 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-28 12:52 . 2010-11-28 12:52 -------- d-----w- c:\program files\ProcessExplorer
2010-11-28 12:27 . 2010-11-28 12:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-11-28 02:10 . 2010-11-28 02:10 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-26 12:23 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-26 12:17 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-21 12:24 . 2010-11-21 12:24 -------- d-----w- c:\documents and settings\Steven\Application Data\vlc
2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 10:58 . 2010-09-18 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\documents and settings\Steven\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-18 19:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-16 22:28 . 2010-09-16 22:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2009-11-08 00:00 . 2009-11-08 00:00 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-11-08 00:00 . 2009-11-08 00:00 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-11-08 00:00 . 2009-11-08 00:00 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"VSSERV"=2 (0x2)
"LIVESRV"=2 (0x2)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ose"=3 (0x3)
"TMWebProtect"=2 (0x2)
"TmProxy"=2 (0x2)
"MatSvc"=3 (0x3)
"IS360service"=2 (0x2)
"sp_rssrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/13/2009 10:41 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2009 10:41 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/29/2010 3:40 PM 135336]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\B.tmp --> c:\windows\system32\B.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/13/2009 10:41 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\documents and settings\Steven\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Steven\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\NOS\bin\np_gp.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 17:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\B.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2016)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2010-11-29 17:08:46 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-30 01:08

Pre-Run: 118,391,615,488 bytes free
Post-Run: 118,272,585,728 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 5A3DD10E063274FCF388AEE1EE805A61



Thanks agian.
 
Please run this Custom CFScrip

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:[Be sure to scroll down to include ALL lines./b]

Code:
File::
c:\windows\system32\B.tmp
c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

Driver::
MEMSWEEP2
Lavasoft Kernexplorer
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Uninstall Java v6u16 and v6u21. Update to v6u22> Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

The font change could be due to a corrupt file- right not, the system is looking pretty good. The Eset scan was clean.
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
I unchecked 'AntiVir Guard enable' and combofix said Avira was still active. Using msconfig, I unchecked all Avira related boxes and restarted the computer. Combofix still detected Avira as running, so I uninstalled Avira altogether. I re-installed Avira after combofix did its business and before running hijackthis.

Each time I open notepad, 'word wrap' is never checked, so I cannot uncheck it unless I first check it. Are these logs I am posting reflecting that, or something, and is it detrimental?


ComboFix 10-12-01.01 - Steven 12/01/2010 23:44:03.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.656 [GMT -8:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Steven\Desktop\CFScript.txt

FILE ::
"c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys"
"c:\windows\system32\B.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LAVASOFT_KERNEXPLORER
-------\Legacy_MEMSWEEP2
-------\Service_Lavasoft Kernexplorer
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))
.

2010-11-30 10:02 . 2010-11-30 10:02 -------- d-----w- c:\documents and settings\Steven\Local Settings\Application Data\Temp
2010-11-29 10:58 . 2010-11-29 10:58 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-29 08:58 . 2010-11-29 10:13 -------- d-----w- c:\windows\system32\NtmsData
2010-11-29 08:56 . 2010-11-29 08:56 -------- d-----w- c:\docume~1\Steven\APPLIC~1\Avira
2010-11-28 13:02 . 2010-12-02 07:43 -------- d-----w- c:\windows\system32\CatRoot2
2010-11-28 12:52 . 2010-11-28 12:52 -------- d-----w- c:\program files\ProcessExplorer
2010-11-28 12:27 . 2010-11-28 12:27 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2010-11-28 02:10 . 2010-11-28 02:10 83968 --sha-r- c:\windows\system32\netstat4.dll
2010-11-26 12:23 . 2009-08-07 03:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-26 12:17 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-21 12:24 . 2010-11-21 12:24 -------- d-----w- c:\docume~1\Steven\APPLIC~1\vlc
2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-10 20:49 . 2010-11-10 20:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 10:58 . 2010-09-18 02:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-18 19:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-16 22:28 . 2010-09-16 22:28 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2009-11-08 00:00 . 2009-11-08 00:00 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-11-08 00:00 . 2009-11-08 00:00 185240 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-11-08 00:00 . 2009-11-08 00:00 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoPopUpsOnBoot"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol]
2010-05-31 11:18 323976 ------w- c:\program files\BillP Studios\WinPatrol\WinPatrol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"VSSERV"=2 (0x2)
"LIVESRV"=2 (0x2)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"ose"=3 (0x3)
"TMWebProtect"=2 (0x2)
"TmProxy"=2 (0x2)
"MatSvc"=3 (0x3)
"IS360service"=2 (0x2)
"sp_rssrv"=2 (0x2)
"AntiVirService"=2 (0x2)
"AntiVirSchedulerService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/17/2010 10:49 AM 28552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/13/2009 10:41 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2009 10:41 AM 74480]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 4:00 AM 14336]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [7/13/2009 10:41 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/10/2010 3:58 AM 206608]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
FF - ProfilePath - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.aol.com/
FF - plugin: c:\documents and settings\Steven\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Steven\Application Data\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Steven\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\NOS\bin\np_gp.dll
FF - plugin: c:\windows\system32\TVUAx\npTVUAx.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: TVU Web Player: firefox@tvunetworks.com - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\firefox@tvunetworks.com
FF - Extension: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\kn5tze51.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-01 23:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(236)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-01 23:53:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-02 07:53

Pre-Run: 121,522,372,608 bytes free
Post-Run: 121,511,591,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C607CCF1719DE01102E83DB71F53EEAB




Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:08:33 AM, on 12/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1290949892671
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

--
End of file - 2418 bytes
 
You can delete these as they will be older versions:
2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

How is the system working now? Any redirects? The logs look good.
Did you use Groip Policy for:
"AntiVirusDisableNotify"
"UpdatesDisableNotify"

If not, I can change them so let me know.

Only 2 entries need removal in HIJ:
Please reopen to 'do system scan only.' Check the following entries if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all Windows except HijackThis and click on "Fix Checked."

The HJT log looks to be on the short side to me. There are no Browser Helper Objects (BHO) or no Toolbars. This is unusual especially noticing all you have set to start on boot.
 
There don't seem to be any redirects at this time, so, thanks for that!

I am not familiar with 'Group Policy'. I changed the settings manually, using
Windows Security Center. I have all three set back to 'Notify' now.

I don't know what to say about the lack of BHOs, but I do try to steer clear of
toolbars whenever possible.

On a side note, I have noticed many users in this forum with the same redirection issues that I experienced. Is this less of a 'virus' issue and more of a 'rootkit' issue. Or is there not really a difference? Am I wrong in stating that, while many security apps. block viruses, it seems that things like rootkits or other 'hidden objects' seem to be getting through? I'd really like to know which free programs are best suited for blocking potential threats of all types. Especially the ones that seem to elude the scanners of programs like Malwarebytes, SpyBot etc after you've been infected by them.

Also, what shall I do with combofix and the C:\Qoobox folder?

Thanks Again.
 
Many malware infections cause searches to be redirected. Some are rootkits, others are not. That's why the name "redirect virus" is wrong. There are also different types of redirects and ways of redirecting. This is a good reason why we discourage others from following malware cleaning help given to someone else. It has to be specific for what is happening to that user and what is the cause.

I am still concerned about how sparse the HijackThis log is. I don't even see what would be considered 'normal' entries. Maybe I'm so use to seeing log full of things that aren't needed that I don't recognize a log from a clean, lean system!

Considerations:
1.I would encourage you to remove this: IObit Security 360:
Review from PCMag:
Poor malware removal left many executables, some actually still running. Poor malware blocking did not prevent installation of malware. By default, installation changes your homepage and search provider.It just doesn't do the job of removing malware or preventing malware installation.
Even the IOBit sites aren't well rated by WOW.

2. I suggest you decide on running just one of the following not both. I see a potential for conflict with both running:
Sophos Anti-Rootkit 1.5.4
AVG Anti-Rootkit Free


3. Did you remove these old versions of HijackThis?
2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-19 10:13 . 2010-09-19 10:13 388096 ----a-r- c:\docume~1\Steven\APPLIC~1\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

4. Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Close all Windows except HijackThis and click on "Fix Checked."

5. Cleaning up: Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    [*]Choose Disc Cleanup
    [*]Click "OK" to select the partition or drive you want.
    [*]Click the "More Options" Tab.
    [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


If any of the cleaning programs remain, you can uninstall them and delete the logs.

Empty the Recycle Bin

Please see my next reply for some suggestions for good security.
 
As promised:
Tips for added security and safer browsing:
  1. Browser Security Settings: Custom is fine if the user did the settings. Mine are Custom. Default is okay too, but sometimes too restrictive.
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features: Make Internet Explorer safer.
  2. Have layered Security:
    • Antivirus Software(only one):Both of the following programs are free and known to be good:
      [o]Avira Free
      [o]Avast Home
    • Firewall (only one): Use bi-directional firewall. Both of the following programs are free and known to be good:
      [o]Comodo
      [o]Zone Alarm
    • Antispyware: I recommend all of the following:
      [o]Spywareblaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    [o]Download ZonedOut and save to your desktop. this replaces IE/Spyad and manages the Zones in Internet explorer. This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    For IE7 and IE8, Windows 2000 thru Vista. No Windows 7 yet.
    IE/Spyad is not longer being supported. If you have this on your system, you should replace it with the following program. Make sure your IE8 is Up-to-date before adding sites to your restricted zone.
    Known issue: If you have "immunized" your computer with Spybot Search and Destroy, and use ZonedOut to "Remove All" restricted sites - ZonedOut will remove your trusted sites as well. Note that if you remove Spybot Search and Destroys Immunization the problem goes away...
    [o]MVPS Hosts files This replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    [o]Google Toolbar Get the free google toolbar to help stop pop up windows.
  3. Stay current on updates:
    [o] Visit the Microsoft Download Sitefrequently. You should get All updates marked Critical and the current SP updates.
    [o]Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    [o]Check this site .Java Updates Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
  4. Reset Cookies to prevent Tracking Cookies:
    [o]For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> check 'override automatic Cookie handling'> check 'accept first party Cookies'> check 'Block third party Cookies'> check 'allow per session Cookies'> Apply> OK.
    [o]For Firefox: Tools> Options> Privacy> Cookies> check ‘accept Cookies from Sites’> Uncheck 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')
    I suggest using the following two add-on for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List
  5. Do regular Maintenance
    Remove Temporary Internet Files regularly:
    [o]ATF Cleaner by Atribune
    OR
    [o]TFC
    Disable and Enable System Restore:
    [o]See System Restore Guide This will help you understand what this is, why you need to clean and set restore points and what information is in them.
  6. Practice Safe Email Handling
    [o] Don't open email from anyone you don't know.
    [o] Don't open Attachments in the email. Safe to your desktop and scan for viruses using a right click
    [o] Don't leave your personal email address on the internet. Have a separate email account at one of the free web-based emails like Yahoo.
 
I followed all of those instructions and everything seems to be in order. I'm going to check out those add-ons and firewall programs and your tips for added security and safer browsing. Thanks so very much, there's a lot of helpful info there.
 
Status
Not open for further replies.
Back